问题描述
请帮忙!我在使用 Microsoft 的 System.IdentityModel.Tokens.Jwt 库验证使用 RS256 签名的 JWT 令牌时遇到问题.
Please help! I'm having trouble validating a JWT token signed with RS256 using Microsoft's System.IdentityModel.Tokens.Jwt library.
这个令牌在 JWT.io 上验证得很好.
This token validates just fine on JWT.io.
这是错误:
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureExceptionIDX10503:签名验证失败.尝试的键:'[PII 被隐藏]'.捕获的异常:'[PII 被隐藏]'.token: '[PII is hidden]'.
Microsoft.IdentityModel.Tokens.SecurityTokenInvalidSignatureException IDX10503: Signature validation failed. Keys tried: '[PII is hidden]'. Exceptions caught: '[PII is hidden]'. token: '[PII is hidden]'.
这是示例代码(我使用的是 LinqPad,带有 System.IdentityModel.Tokens.Jwt v5.2.2 NuGet 包):
void Main()
{
var cText =
"-----BEGIN CERTIFICATE-----
" +
"MIIBljCCAUACCQCIDMpqK7WfWDANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJV
" +
"UzETMBEGA1UECAwKU29tZS1TdGF0ZTESMBAGA1UECgwJTHV4b3R0aWNhMRowGAYD
" +
"VQQLDBFMdXhvdHRpY2EgZXllY2FyZTAeFw0xODA1MjMxNTE1MjdaFw0yODA1MjAx
" +
"NTE1MjdaMFIxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMRIwEAYD
" +
"VQQKDAlMdXhvdHRpY2ExGjAYBgNVBAsMEUx1eG90dGljYSBleWVjYXJlMFwwDQYJ
" +
"KoZIhvcNAQEBBQADSwAwSAJBAKuMYcirPj81WBtMituJJenF0CG/HYLcAUOtWKl1
" +
"HchC0dM8VRRBI/HV+nZcweXzpjhX8ySa9s7kJneP0cuJiU8CAwEAATANBgkqhkiG
" +
"9w0BAQsFAANBAKEM8wQwlqKgkfqnNFcbsZM0RUxS+eWR9LvycGuMN7aL9M6GOmfp
" +
"QmF4MH4uvkaiZenqCkhDkyi4Cy81tz453tQ=
" +
"-----END CERTIFICATE-----";
var c = new X509Certificate2(Encoding.ASCII.GetBytes(cText));
var p = new TokenValidationParameters();
p.IssuerSigningKeyResolver = (s, securityToken, identifier, parameters)
=> new[] { new X509SecurityKey(c) };
var h = new JwtSecurityTokenHandler();
var token = @"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJuLmNoaWVmZm8iLCJleHAiOjE1MjcyMzg4ODEsImlzcyI6Imx1eCJ9.BAaYzLwokmdKqLi6zKjGIpDXd__dZxi5PUWWHS3PSLPDYAInzPbEK8o4WxunoGD7eA0qtQNaxNpzeOc3BHrd4w";
h.ValidateToken(token, p, out SecurityToken _);
}
最后也很高兴知道如何删除 [PII is hidden] 以便我可以看到有关错误的更多详细信息.在 app.config 甚至 machine.config 文件中将 enableLoggingKnownPii 和 logKnownPII 设置为 true 似乎没有什么区别.
Finally it would be nice to also know how to remove the [PII is hidden] so I can see more detail on the error. Setting the enableLoggingKnownPii and logKnownPII to true in the app.config or even the machine.config file did not seem to make a difference.
推荐答案
原来X509SecurityKey的KeySize至少需要1024长才能验证.这在异常中并不明显,因为它被 [PII is hidden] 过滤器隐藏了.
It turns out that the KeySize for X509SecurityKey needs to be at least 1024 in length for verifying. This is not obvious from the exception, since it is hidden with the [PII is hidden] filter.
添加以下行使异常文本更加有用(添加到 Startup.cs
中的 ConfigureServices
方法):
Adding the following line made the exception text a lot more useful (add to ConfigureServices
method in Startup.cs
):
IdentityModelEventSource.ShowPII = true;
新的异常文本:
System.ArgumentOutOfRangeException: IDX10631: 用于验证的Microsoft.IdentityModel.Tokens.X509SecurityKey"不能小于1024"位.密钥大小:'512'.
'System.ArgumentOutOfRangeException: IDX10631: The 'Microsoft.IdentityModel.Tokens.X509SecurityKey' for verifying cannot be smaller than '1024' bits. KeySize: '512'.
将非对称密钥的长度增加到 1024 解决了这个问题.
Increasing the length of the assymetric key to 1024 solved the problem.
这篇关于隐藏使用 RS256 PII 的 JWT SecurityTokenInvalidSignatureException的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持跟版网!